[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Dec 2 01:07:19 EST 2011

Ben Laurie <ben at links.org> writes:

>They appear to actually be selling sub-RA functionality, but very hard to
>tell from the press release.

OK, so it does appear that people seem genuinely unaware of both the fact that
this goes on, and the scale at which it happens.  Here's how it works:

1. Your company or organisation is concerned about the fact that when people
go to their site (even if it's an internal, company-only one), they get scary

2. Your IT people go to a commercial CA and say "we would like to buy the
ability to issue padlocks ourselves rather than having to buy them all off

3. The CA goes through an extensive consulting exercise (billed to the
company), after which they sell the company a padlock-issuing license, also
billed to the company.  The company is expected to keep records for how many
padlocks they issue, and pay the CA a further fee based on this.

4. Security is done via the honour system, the CA assumes the company won't do
anything bad with their padlock-issuing capability (or at least I've never
seen any evidence of a CA doing any checking apart from for the fact that
they're not getting short-changed).

This is why in the past I've repeatedly referred to "unknown numbers of
unknown private-label CAs", we have absolutely no idea how many of these
private-label CAs are out there or who they are or who controls them, but
they're probably in the tens, if not hundreds, of thousands, and many are
little more than a Windows server on a corporate LAN somewhere (and I mean
that literally, it was odd to sit in front of a Windows 2000 box built from
spare parts located in what used to be some sort of supplies closet and think
"I can issue certs that chain to $famous_ca_name from this thing" :-).

Going through the process is like getting a BS 7799 FIPS 140 certification,
you pay the company doing the work to get you through the process, and you
keep paying them until eventually you pass.  The only difference is that while
I've heard of rare cases of companies failing BS 7799, I've never heard of
anyone failing to get a padlock-issuing license.

Are people really not aware of this?  I thought it was common knowledge.  If
it isn't, I'll have to adapt a writeup I've done on it, which assumes that
this is common knowledge.


More information about the cryptography mailing list